REMARKS

The Examiner has rejected Claims 1-9 and 12-35 under 35 U.S.C. 101 as being
directed towards non-statutory subject matter. Specifically, the Examiner has argued that
"Claims 1, 20 and 30 are directed toward an intrusion detection system" and that "[t]he
claimed steps do not result in a tangible result." Applicant respectfully disagrees and
asserts that, in fact, independent Claim 1 claims a "computer-implemented method," and
independent Claim 30 claims a "computer program product embodied on a computer
readable medium," as claimed.

Applicant further emphasizes that independent Claims 1 and 20 recite "generating
classification rules" and "select[ing] an action to be performed on said classified packets"
(emphasis added - see this or similar, but not necessarily identical language in the
aforementioned independent claims). Clearly, applicant's independent Claims 1 and 20
produce a tangible result, such as, for example, generated classification rules and a
selected action to be performed, in the context claimed by applicant. Additionally, in
Claim 20, applicant claims "select[ing] an action to be performed on said classified
packets" (emphasis added), as claimed. Applicant respectfully asserts that selecting an
action to be performed, as claimed, provides a tangible result.

The Examiner has rejected Claims 1, 3-9, 13-19, 30, and 31-35 under 35 U.S.C.
103(a) as being unpatentable over Vaidya (U.S. Patent No. 6,279,113 B1), in view of
McRae (U.S. Patent No. 6,970,462 B1). Further, the Examiner has rejected Claims 20-29
under 35 U.S.C. 103(a) as being unpatentable over Copeland, III (U.S. Publication No.
2002/0144156 A1), in view of McRae (U.S. Patent No. 6,970,462 B1). Applicant
respectfully disagrees with such rejections, especially in view of the amendments made
hereinabove to the independent claims. Specifically, applicant has amended the
independent claims to at least substantially include the subject matter of at least a portion
of dependent Claims 31 and 32.



To establish a prima facie case of obviousness, three basic criteria must be met.
First, there must be some suggestion or motivation, either in the references themselves or
in the knowledge generally available to one of ordinary skill in the art, to modify the
reference or to combine reference teachings. Second, there must be a reasonable
expectation of success. Finally, the prior art reference (or references when combined)
must teach or suggest all the claim limitations. The teaching or suggestion to make the
claimed combination and the reasonable expectation of success must both be found in the
prior art and not based on applicant's disclosure. In re Vaeck, 947 F.2d 488, 20 USPQ2d
1438 (Fed. Cir. 1991).

With respect to the first element of the prima facie case of obviousness and, in 
particular, the obviousness of combining the Vaidya and McRae references, the Examiner 
has argued that "it would have been obvious. . . to employ the teachings of McRae within 
the system of Vaidya in order to enhance the performance and efficiency of the system." 
Applicant disagrees and respectfully asserts that it would not have been obvious to 
combine the teachings of the Vaidya and McRae references, especially in view of the vast 
evidence to the contrary. 

For example, Vaidya relates to an intrusion detection system that utilizes attack
signature profiles, while McRae relates to classifying packets based on an access control
list. To simply glean features from a classification system that utilizes an access control
list, such as that of McRae, and combine the same with the non-analogous art of an
intrusion detection system that utilizes attack signature profiles, such as that of Vaidya,
would simply be improper. Attack signature profiles "are each descriptive of identifiable
characteristics associated with particular network intrusion attempts" (Vaidya-Col. 3,
lines 12-16), whereas in access control lists, access to specific source and/or destination
addresses are denied (McRae-Col. 6, lines 12-18). "In order to rely on a reference as a
basis for rejection of an applicant's invention, the reference must either be in the field of
applicant's endeavor or, if not, then be reasonably pertinent to the particular problem with
which the inventor was concerned." In re Oetiker, 977 F.2d 1443, 1446, 24 USPQ2d
1443, 1445 (Fed. Cir. 1992). See also In re Deminski, 796 F.2d 436, 230 USPQ 313 (Fed.
Cir. 1986); In re Clay, 966 F.2d 656, 659, 23 USPQ2d 1058, 1060-61 (Fed. Cir. 1992). In
view of the vastly different types of problems an intrusion detection system which
utilizes attack signature profiles addresses as opposed to a classification system which
utilizes an access control list, the Examiner's proposed combination is inappropriate.

Moreover, applicant respectfully asserts that the McRae reference even teaches
away from applicant's specific claim language. In particular, McRae relates to
classifying packets based on an access control list where such access control list controls
access (by allowing or denying access) to specific source and/or destination addresses
(McRae-Col. 6, lines 12-18). Applicant, however, claims "signature profiles identifying
patterns associated with network intrusions" and "comparing said classified packets to at
least a subset of the signature profiles" (see the independent claims-emphasis added).
Clearly, using an access control list, as in McRae, teaches away from using signature
profiles, as applicant claims. Applicant respectfully points out that a prima facie case of
obviousness may also be rebutted by showing that the art, in any material respect, teaches
away from the claimed invention. In re Geisler, 116 F.3d 1465, 1471, 43 USPQ2d 1362,
1366 (Fed. Cir. 1997).

Thus, applicant respectfully asserts that the first element of the prima facie case of
obviousness has not been met, as noted above. More importantly, applicant also 
respectfully asserts that the third element of the prima facie case of obviousness has not 
been met by the prior art reference excerpts relied on by the Examiner. 

For example, with respect to independent Claims 1 and 30, the Examiner has 
relied on Col. 5, lines 24-59; and Col. 8, line 62 - Col. 9, line 6 from McRae to make a 
prior art showing of applicant's claimed technique "wherein the classification is carried 
out by a first classification stage capable of classifying the data packets based on a first 
set of packet characteristics, and a second classification stage capable of classifying the 
data packets received from the first classification stage based on a second set of 
characteristics" (see this or similar, but not necessarily identical language in the 
aforementioned independent claims). 

Applicant respectfully asserts that the excerpts from McRae relied on by the
Examiner merely teach that "the packet header involved in the packet classification is
divided into sections (fields) such as 16 bit portions" and that "[o]nce, this is performed,
a data lookup table is built for each of the packet header fields" (Col. 5, lines 27-30).
Additionally, the excerpts teach that "the created data lookup tables, typically, one for
each packet header field, is merged two at a time to form intermediate second level data
lookup tables, if any" (Col. 5, lines 32-35) and that "[t]he second level data lookup tables
are then merged two at a time to form intermediate third level lookup tables" (Col. 5,
lines 37-39). Further, McRae teaches that "[t]he merging proceeds until one final data
lookup table is formed" (Col. 5, lines 39-40) and "[t]he results in the final data lookup
table represent all the possible packets to be classified" (Col. 5, lines 44-46).

However, simply disclosing that "[t]he merging [of data tables] proceeds until one
final data lookup table is formed" and that "[t]he results in the final data lookup table
represent all the possible packets to be classified" (emphasis added), as in McRae, fails to
even suggest a technique "wherein the classification is carried out by a first classification
stage capable of classifying the data packets based on a first set of packet
characteristics, and a second classification stage capable of classifying the data packets
received from the first classification stage based on a second set of characteristics"
(emphasis added), as claimed by applicant. Clearly, McRae teaches using such final data
lookup table to classify packets, which does not specifically relate to the classification
process itself, and therefore cannot meet applicant's claimed technique by which "the
classification is carried out," as claimed by applicant.

Additionally, the excerpts from McRae relied on by the Examiner also teach that
"each packet header entry has a bitmap representing the filtering rules that matches this
entry" and that "[t]he bitmap can be used to selectively provide a desired result of the
classification" (Col. 5, lines 46-49). Further, in Col. 8, lines 62-66, McRae teaches that
"[the] final equivalence set provides all the theoretical possible combinations of rules
given any packet header values, and for any of these possible outcomes, there is a bitmap
indicating which rules are matching" and that "[b]y doing a find-first-set on the bitmap,
the first matching rule can be obtained."

However, disclosing that "each packet header entry has a bitmap representing the
filtering rules that matches this entry" and that "[t]he bitmap can be used to selectively
provide a desired result of the classification" (emphasis added), as in McRae, fails to
even suggest "a first classification stage capable of classifying the data packets based on
a first set of packet characteristics, and a second classification stage capable of
classifying the data packets received from the first classification stage based on a second
set of characteristics" (emphasis added), as claimed by applicant. Applicant emphasizes
that McRae simply fails to even suggest "a first classification stage... and a second
classification stage," not to mention that the "first classification stage [is] capable of
classifying the data packets based on a first set of packet characteristics" and that the
"second classification stage [is] capable of classifying the data packets received from the
first classification stage based on a second set of characteristics" (emphasis added), as
claimed by applicant.

Still yet, it seems the Examiner has also relied on Official Notice in rejecting
applicant's above emphasized claim language by stating that "classification of data
packets with multi-level stages is well known in the art, which has the advantage of
enhancing the performance efficiency of the system." The Examiner has further relied on
McRae as an example to support such rejection, however, as noted above, McRae fails to
disclose applicant's specifically claimed technique. Even assuming arguendo that the
Examiner's assertion is correct, applicant respectfully points out that merely alleging that
"classification of data packets with multi-level stages is well known in the art," as alleged
by the Examiner, fails to rise to the level of specificity of applicant's claim language,
namely "a first classification stage capable of classifying the data packets based on a first
set of packet characteristics, and a second classification stage capable of classifying the
data packets received from the first classification stage based on a second set of
characteristics" (emphasis added), as claimed.

Thus, applicant formally requests a specific showing of the subject matter in ALL
of the claims in any future action. Note excerpt from MPEP below.

"if the applicant traverses such an [Official Notice] assertion the examiner should 
cite a reference in support of his or her position." See MPEP 2144.03. 

With respect to independent Claim 20, the Examiner has relied on paragraphs
0157 - 0159 and 0163 - 0165 from the Copeland reference, in addition to Col. 5, lines 24-
59 and Col. 8, line 62 - Col. 9, line 6 in McRae to make a prior art showing of applicant's
claimed "detection engine operable to perform a table lookup at the flow table to select
an action to be performed on said classified packets based on the classification, wherein
comparing said classified packets to at least a subset of the signature profiles is one of the
actions."

Applicant respectfully asserts that the excerpts from Copeland relied on by the
Examiner merely disclose that "the flow collector thread . . . searches linearly through the
entire flow data structure ... to find flows that have been inactive for a certain time
period" after which "a logic tree analysis is done to classify [the inactive flows] as either
a normal flow, or a potential probe or other suspicious activity" (paragraph 0157 -
emphasis added). Further, the excerpts teach that "[t]he packet classifier thread 610
collects information on network operations such as packets and bytes" and that "[t]he
alert manager thread 630 writes the updated data to various output files for use by the
user interface" (paragraph 0165 - emphasis added).

However, merely teaching the classification of inactive flows and the writing of
updated data to output files, as in Copeland, fails to teach "a detection engine operable to
perform a table lookup at the flow table to select an action to be performed on said
classified packets based on the classification," or even suggest "comparing said
classified packets to at least a subset of the signature profiles" (emphasis added), as
claimed by applicant. Applicant respectfully asserts that simply nowhere in the excerpts
relied on by the Examiner is there any teaching or suggestion of "select[ing] an action to
be performed on said classified packets based on the classification [and] comparing said
classified packets to at least a subset of the signature profiles," as applicant claims.

Furthermore, the excerpts from McRae relied on by the Examiner simply relate to
"the creation of data tables for header values that match against a set of classification
rules" (Col. 5, lines 24-26), and "provid[ing] all the theoretical possible combinations of
rules given any packet header values . . . [such] that there is a bitmap indicating which rules
are matching" (Col. 8, lines 62-65). Applicant respectfully asserts that simply teaching
identifying classification rules that match header values, as in McRae, fails to even
suggest any sort of "action to be performed on said classified packets," in addition to a
"compari[son of] said classified packets to at least a subset of the signature profiles," as
applicant claims.

Additionally, with respect to independent Claim 20, the Examiner has relied on
Col. 5, lines 24-59; and Col. 8, line 62 - Col. 9, line 6 from McRae to make a prior art
showing of applicant's claimed "signature classifier comprising a first stage classifier
operable to classify packets according to at least one packet field into groups and a
second stage classifier operable to classify said packets within each of the groups
according to packet type or size."

Applicant respectfully asserts that the excerpts relied upon by the Examiner
generally teach "an exemplary procedure that allows for the creation of data tables for
header values that match against a set of classification rules" (Col. 5, lines 24-26) and
that "[t]he results in the final data lookup table represent all the possible packets to be
classified." However, the excerpts relied upon by the Examiner fail to even suggest "a
signature classifier comprising a first stage classifier operable to classify packets
according to at least one packet field into groups and a second stage classifier operable
to classify said packets within each of the groups according to packet type or size"
(emphasis added), as claimed by applicant. Clearly, McRae teaches using such final data
lookup table to classify packets, which does not specifically relate to the classification
process itself, and therefore cannot meet applicant's claimed "first stage classifier
operable to classify packets according to at least one packet field into groups and a
second stage classifier operable to classify said packets within each of the groups
according to packet type or size" (emphasis added), as claimed by applicant.

Additionally, the excerpts from McRae relied on by the Examiner teach that "each
packet header entry has a bitmap representing the filtering rules that matches this entry"
and that "[t]he bitmap can be used to selectively provide a desired result of the
classification" (Col. 5, lines 46-49). Further, in Col. 8, lines 62-66, McRae teaches that
"[the] final equivalence set provides all the theoretical possible combinations of rules
given any packet header values, and for any of these possible outcomes, there is a bitmap
indicating which rules are matching" and that "[b]y doing a find-first-set on the bitmap,
the first matching rule can be obtained."

However, disclosing that "each packet header entry has a bitmap representing the
filtering rules that matches this entry" and that "[t]he bitmap can be used to selectively
provide a desired result of the classification" (emphasis added), as in McRae, fails to
even suggest "a first stage classifier operable to classify packets according to at least one
packet field into groups and a second stage classifier operable to classify said packets
within each of the groups according to packet type or size" (emphasis added), as claimed
by applicant.

Still yet, it seems the Examiner has also relied on Official Notice in rejecting
applicant's above emphasized claim language by stating that "classification of data
packets with multi-level stages is well known in the art, which has the advantage of
enhancing the performance efficiency of the system." The Examiner has further relied on
McRae as an example to support such rejection, however, as noted above, McRae fails to
disclose applicant's specifically claimed technique. In addition, applicant respectfully
points out that merely alleging that "classification of data packets with multi-level stages
is well known in the art," as alleged by the Examiner, fails to rise to the level of
specificity of applicant's claim language, namely "a first stage classifier operable to
classify packets according to at least one packet field into groups and a second stage
classifier operable to classify said packets within each of the groups according to packet
type or size" (emphasis added), as claimed.

Applicant again formally requests a specific showing of the subject matter in ALL 
of the claims in any future action. Note excerpt from MPEP cited above. 

To this end, applicant respectfully asserts that at least the first and third elements
of the prima facie case of obviousness have not been met, since it would be unobvious to
combine the references, and the prior art reference excerpts, as relied upon by the
Examiner, fail to teach or suggest all of the claim limitations, as noted above.
Nevertheless, despite such paramount deficiencies and in the spirit of expediting the
prosecution of the present application, applicant has at least substantially incorporated at
least a portion of the subject matter of former dependent Claims 31 and 32 into the
independent claims.

With respect to the subject matter of former Claim 31 (now at least substantially
incorporated into the independent claims), the Examiner has relied on Col. 5, lines 24-59
from McRae to make a prior art showing of applicant's claimed technique "wherein the
first set of packet characteristics includes at least one of a destination address, a protocol
type, and a destination port number" (see this or similar, but not necessarily identical
language in the independent claims).

Applicant respectfully asserts that the excerpt relied upon by the Examiner merely
teaches "an exemplary procedure that allows for the creation of data tables for header
values that match against a set of classification rules" (Col. 5, lines 24-26) and that "the
packet header involved in the packet classification is divided into sections (fields) such as
16 bit portions" (Col. 5, lines 27-29 - emphasis added). Additionally, McRae teaches
that "[t]he results in the final data lookup table represent all the possible packets to be
classified" (Col. 5, lines 44-46). However, McRae fails to specifically suggest any of a
"destination address, a protocol type, and a destination port number" (emphasis added)
in the context claimed by applicant. Clearly, dividing a packet header into sections, such
as 16 bit portions, as in McRae, fails to even suggest "classifying the data packets based
on at least one of a destination address, a protocol type, and a destination port number"
(see the same or similar, but not necessarily identical language in the independent claims-
emphasis added), as specifically claimed by applicant.



Additionally, with respect to the subject matter of former Claim 32 (now at least
substantially incorporated into the independent Claims 1 and 30, and at least substantially
previously included in Claim 20), the Examiner has relied on the following excerpt from
McRae to make a prior art showing of applicant's claimed technique "wherein the second
set of packet characteristics includes at least one of a packet type and a size" (see this or
similar, but not necessarily identical language in the aforementioned independent claims).



"An action of matching a packet against a database of rules (or
rulesets) can be implemented as a memory lookup [illegible]
a packet header has a total of 114 [illegible]
(IP) address: 32 bits, each layer 4 [illegible]
a CAM to classify [illegible] packets. While this
guarantees that every incoming packet would be classified, the
memory size involved would make the implementation impractical.

An observation is made that the rules themselves need not treat
the packet header as one single header, but [illegible] packet
header field could be treated separately. For example, each rule
can separately specify values for IP source and destination
addresses, IP protocol and etc. Some [illegible] implicit
[illegible] the IP
protocol may need to be specified as either a Transmission
Control Protocol (TCP) or a User Datagram Protocol (UDP). In
[illegible]
and a mask of zeros." (Col. 3, line 60 - Col. 4, line 15 -
emphasis added)



Applicant respectfully asserts that the excerpt relied upon by the Examiner merely
teaches that "[a]n action of matching a packet against a database of rules (or rulesets) can
be implemented as a memory lookup" where "each packet header field could be treated
separately." Further, McRae teaches that "each rule can separately specify values for IP
source and destination addresses, IP protocol and etc." However, simply disclosing that
rules can specify source and destination addresses separately, as in McRae, fails to even
suggest "at least one of a packet type and a size" (emphasis added), as claimed by
applicant. In fact, McRae fails to even suggest "a second classification stage capable of
classifying the data packets received from the first classification stage based on [the]
second set of characteristics," where "the second set of packet characteristics includes at
least one of a packet type and a size" (see Claims 1 and 30-emphasis added), or "a second
stage classifier operable to classify said packets within each of the groups according to
packet type or size" (see Claim 20-emphasis added), as claimed by applicant.

Again, applicant respectfully asserts that at least the first and third elements of the 
prima facie case of obviousness have not been met, as noted above. Thus, a notice of
allowance or specific prior art showing of each of the foregoing claim elements, in 
combination with the remaining claimed features, is respectfully requested. 

Applicant further notes that the prior art is also deficient with respect to the
dependent claims. For example, with respect to Claim 33, the Examiner has relied on
Col. 5, lines 24-59 from McRae to make a prior art showing of applicant's claimed
technique "wherein only the second classification stage remains in communication with a
flow table for identifying an action to be taken with respect to the data packets."

Applicant respectfully asserts that the excerpt relied upon by the Examiner merely
teaches "an exemplary procedure that allows for the creation of data tables for header
values that match against a set of classification rules" (Col. 5, lines 24-26) and that "[t]he
results in the final data lookup table represent all the possible packets to be classified"
(Col. 5, lines 44-46). However, McRae fails to even suggest a technique "wherein only
the second classification stage remains in communication with a flow table for
identifying an action to be taken with respect to the data packets" (emphasis added), as
claimed by applicant. In fact, McRae fails to even suggest "[a] second classification
stage," not to mention a technique "wherein only the second classification stage remains
in communication with a flow table for identifying an action to be taken with respect to
the data packets" (emphasis added), as claimed by applicant.

Again, since at least the first and third elements of the prima facie case of
obviousness have not been met, as noted above, a notice of allowance or proper prior art
showing of each of the foregoing claim elements, in combination with the remaining
claimed features, is respectfully requested.

Still yet, applicant brings to the Examiner's attention the subject matter of new
claims 36-37 below, which are added for full consideration:

"wherein the action includes dropping at least one of the data packets and
updating one or more fields in the flow table" (see Claim 36); and

"wherein the packet type is determined based on a TCP flag" (see Claim 37).

Again, a notice of allowance or a proper prior art showing of all of applicant's
claim limitations, in combination with the remaining claim elements, is respectfully 
requested. Thus, all of the independent claims are deemed allowable. Moreover, the 
remaining dependent claims are further deemed allowable, in view of their dependence 
on such independent claims. 

In the event a telephone conversation would expedite the prosecution of this
application, the Examiner may reach the undersigned at (408) 505-5100. The
Commissioner is authorized to charge any additional fees or credit any overpayment to
Deposit Account No. 50-1351 (Order No. NAI1P318).

Respectfully submitted,
Zilka-Kotab, PC

/KEVINZILKA/
Kevin J. Zilka
Registration No. 41,429

P.O. Box 721120
San Jose, CA 95172-1120
408-505-5100



